RansomHub Ransomware Targets VMware ESXi Environments with Specialized Encryptor


The RansomHub ransomware operation is now employing a Linux encryptor specifically designed to target VMware ESXi environments during corporate attacks.
Launched in February 2024, RansomHub operates as a ransomware-as-a-service (RaaS) with connections to ALPHV/BlackCat and Knight ransomware. The group has claimed over 45 victims across 18 countries.
Since early May, both Windows and Linux RansomHub encryptors have been confirmed. Recently, Recorded Future reported that the group also possesses an ESXi variant, first observed in April 2024. Unlike the Windows and Linux versions written in Go, the ESXi encryptor is a C++ program, likely evolved from the now-defunct Knight ransomware.
Interestingly, Recorded Future identified a bug in the ESXi variant that defenders can exploit to cause the encryptor to enter an endless loop, thereby evading encryption.
Enterprises widely use virtual machines to manage their servers due to their efficient CPU, memory, and storage resource management. Consequently, many ransomware gangs have developed dedicated VMware ESXi encryptors to target these environments. RansomHub’s ESXi encryptor supports various command-line options, including setting execution delays, specifying VMs to exclude from encryption, and targeting specific directory paths. 
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents